CVE-2026-30652
Received - Intake
Authenticated Remote Code Execution in Vivotek FD8136 Cameras

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: MITRE

Description
A remote buffer overflow vulnerability exists in the /cgi-bin/dido/setdo.cgi endpoint of the admin interface of Vivotek FD8136 cameras running firmware version FD8136-VVTK-0300a. This flaw allows an authenticated attacker to execute arbitrary code as root on the device.
Meta Information
Published: 2026-06-02
Last Modified: 2026-06-02
Generated: 2026-06-02
AI Q&A: 2026-06-02
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vivotek fd8136 fd8136-vvtk-0300a
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability allows an authenticated attacker to execute arbitrary code as root on the affected VIVOTEK FD8136 camera.

An attacker who successfully exploits this flaw can gain full control over the device, potentially leading to unauthorized access, manipulation of camera functions, or use of the device as a foothold for further attacks within a network.

Because the attacker gains root privileges, they can bypass security controls, install malicious software, or disrupt normal device operations.


Can you explain this vulnerability to me?

CVE-2026-30652 is an authenticated stack buffer overflow vulnerability in the VIVOTEK FD8136 camera running firmware version FD8136-VVTK-0300a.

The flaw exists in the set_getdido.cgi binary, which handles the /cgi-bin/dido/setdo.cgi endpoint for managing digital input/output configurations.

The vulnerability occurs because the binary reads the raw POST request body into a fixed-size stack buffer of about 0xc4 bytes without checking the input length.

By sending a POST request with a body longer than this buffer size, an attacker can overflow the buffer and overwrite the saved link register on the stack.

This allows the attacker to redirect the program's control flow and execute arbitrary commands with root privileges on the device.

The binary runs as root and lacks stack canaries or other memory protections, making exploitation straightforward.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for the presence of the vulnerable Vivotek FD8136 camera firmware version FD8136-VVTK-0300a and by monitoring for POST requests to the /cgi-bin/dido/setdo.cgi endpoint.

Specifically, you can look for authenticated POST requests with unusually large payloads (greater than 0xc4 bytes, which is 196 in decimal) sent to the /cgi-bin/dido/setdo.cgi endpoint, which may indicate attempts to exploit the buffer overflow.

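Example commands to detect such activity might include using network monitoring tools like tcpdump or Wireshark to filter HTTP traffic to the endpoint. The tcpdump filter below matches TCP segments on port 80 whose payload is larger than 196 bytes. That payload includes the HTTP request line and headers as well as the body, and only unencrypted HTTP is visible to it, so treat it as a coarse pre-filter and confirm hits against the request's Content-Length. The -l option keeps tcpdump's output line-buffered so that grep sees matches as they arrive.

  • tcpdump -l -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) > 196)' | grep '/cgi-bin/dido/setdo.cgi'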
  • Using curl or similar tools to test the endpoint with payloads of varying sizes to see if the device responds abnormally or crashes.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable /cgi-bin/dido/setdo.cgi endpoint to trusted users only, as exploitation requires authentication.

Additionally, monitor and block POST requests with payloads larger than 0xc4 bytes to this endpoint to prevent buffer overflow attempts.

If possible, update the firmware of the Vivotek FD8136 camera to a version that patches this vulnerability once it becomes available.

Until a patch is available, consider isolating the device from untrusted networks and enforcing strong authentication controls.
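
The size check described in the detection and mitigation answers above, as an added example (not code from the advisory or from Vivotek): it classifies reassembled HTTP requests, for instance at a reverse proxy or from a capture, and flags POSTs to the endpoint whose body exceeds 0xc4 bytes. The sample requests, the host name, the body contents and the choice to alert on chunked bodies are assumptions of this example.

```python
from urllib.parse import unquote, urlsplit

ENDPOINT = "/cgi-bin/dido/setdo.cgi"  # endpoint named in the advisory
BUF_SIZE = 0xC4                       # stack buffer size from the advisory (196)


def inspect_request(raw: bytes) -> str:
    """Classify one reassembled HTTP request: 'ignore', 'ok' or 'alert'."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return "ignore"               # no parseable request line
    method, target, _version = parts
    # Match on the decoded path so a query string or simple %-encoding
    # of the path does not hide the endpoint from the check.
    path = unquote(urlsplit(target).path)
    if method.upper() != "POST" or path != ENDPOINT:
        return "ignore"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return "alert"                # assumption: no declared length, so review
    declared = headers.get("content-length", "")
    # Take the larger of declared and observed size: a capture may hold only
    # the first segment, and a sender may understate Content-Length.
    size = max(int(declared) if declared.isdecimal() else 0, len(body))
    return "alert" if size > BUF_SIZE else "ok"


def build_sample(target: str, body: bytes, method: str = "POST") -> bytes:
    """Build a constructed sample request (not captured traffic)."""
    head = f"{method} {target} HTTP/1.1\r\nHost: camera.example\r\n"
    return (head + f"Content-Length: {len(body)}\r\n\r\n").encode() + body


SAMPLES = {  # constructed inputs; parameter names and padding are made up
    "normal": build_sample(ENDPOINT, b"do0=1"),
    "at_limit": build_sample(ENDPOINT, b"x" * BUF_SIZE),
    "oversized": build_sample(ENDPOINT + "?a=1", b"x" * (BUF_SIZE + 1)),
    "other_path": build_sample("/cgi-bin/other.cgi", b"x" * 500),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} {inspect_request(raw)}")
```

The threshold follows the buffer size stated on this page, which is given as approximate, so a deployment may prefer a lower limit based on the largest body its own legitimate requests send.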

